On Wed, 2013-09-11 at 17:00 +0200, Dag-Erling Smørgrav wrote: > OpenSSH in FreeBSD 10 is now built with DNSSEC support, unless you > disable LDNS in src.conf. If DNSSEC is enabled, the default setting for > VerifyHostKeyDNS is "yes". This means that OpenSSH will silently trust > DNSSEC-signed SSHFP records. I consider this a lesser evil than "ask" > (aka "train the user to type 'yes' and hit enter") and "no" (aka "train > the user to type 'yes' and hit enter without even the benefit of a > second opinion"). > > DES
I just ran into a build error related to this: --- libssh.so.5 --- building shared library libssh.so.5 /local/build/staging/freebsd/wand/obj/arm.armv6/local/build/staging/freebsd/wand/src/tmp/usr/bin/ld: cannot find -lldns cc: error: linker command failed with exit code 1 (use -v to see invocation) *** [libssh.so.5] Error code 1 It only happens in one of my many build sandboxes, so I suspect it's related to the WITH/WITHOUT options in effect and perhaps also to the timing of parallel-build stuff. In the sandbox where it fails I have WITHOUT_KERBEROS and WITHOUT_PROFILE so I think that changes the timing of getting to the libssh build. I find that the attached patch fixes it for me. -- Ian
--- Makefile.inc1 Fri Sep 13 21:38:02 2013 -0600 +++ Makefile.inc1 Sat Sep 14 06:47:36 2013 -0600 @@ -1468,7 +1468,7 @@ lib/libcxxrt__L: gnu/lib/libgcc__L lib/libradius lib/libsbuf lib/libtacplus \ ${_cddl_lib_libumem} ${_cddl_lib_libnvpair} \ ${_cddl_lib_libzfs_core} \ - lib/libutil ${_lib_libypclnt} lib/libz lib/msun \ + lib/libutil ${_lib_libypclnt} lib/libldns lib/libz lib/msun \ ${_secure_lib_libcrypto} ${_secure_lib_libssh} \ ${_secure_lib_libssl} @@ -1505,10 +1505,11 @@ cddl/lib/libzfs_core__L: cddl/lib/libnvp .if ${MK_OPENSSL} != "no" _secure_lib_libcrypto= secure/lib/libcrypto _secure_lib_libssl= secure/lib/libssl -lib/libradius__L secure/lib/libssl__L: secure/lib/libcrypto__L +lib/libldns__L lib/libradius__L secure/lib/libssl__L: secure/lib/libcrypto__L .if ${MK_OPENSSH} != "no" _secure_lib_libssh= secure/lib/libssh -secure/lib/libssh__L: lib/libz__L secure/lib/libcrypto__L lib/libcrypt__L +secure/lib/libssh__L: lib/libz__L secure/lib/libcrypto__L lib/libcrypt__L \ + lib/libldns__L .if ${MK_KERBEROS_SUPPORT} != "no" secure/lib/libssh__L: lib/libgssapi__L kerberos5/lib/libkrb5__L \ kerberos5/lib/libhx509__L kerberos5/lib/libasn1__L lib/libcom_err__L \
_______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"